Everyone’s more familiar with cyber security than ever before as it’s now a frequent headline in the daily news and media. Every day we are updated about the latest cyber security breaches whether it’s Yahoo, Dropbox or LinkedIn, how many records have been stolen, or how much companies have paid in result from ransomware or financial fraud.
However, are employees and executives aligned with cyber security awareness? Are the risks and top discussions that happen in the break room similar to those that happen in the boardroom? The topics and concerns are farther apart than you could ever imagine.
As employees sit in the break room and discuss the latest cyber breaches in the news and how many records have been stolen it is not typically a major concern as they are not aware of the direct impact to their data or personal information. To them, it is just another cyber breach. As thousands of records are stolen daily the lack of direct impact means that many employees are not clear on the risk or the value of the data being stolen. Many companies have failed to educate employees on cyber security, while it is common to see companies creating complex IT policies, many companies fail to clearly communicate or ensure their employees understand their role and responsibility when it comes to security within the company. Companies fail to treat external breaches as cyber incidents and therefore reduces the severity or impact. Many employees bring their own devices, connect them to the company’s networks, store corporate data on them, and very few companies check those devices for security compliance or that security protocols are enabled.
In the break room, the biggest and most concerning cyber security concerns on the top of the employee’s mind is not so much their data, accounts or the companies they work for, but those topics about their nation state’s cyber security risk. Employees are concerned about the nation state’s defenses, critical infrastructure, and the continued influence of foreign nation states on their government decisions and economy. They are not too concerned about the nation state’s secrets being stolen, but the ability for a foreign state to shut down communications, electricity or transportation, which of course are things, our cultures and societies have become greatly dependent on. Employees believe it is the governments, technology companies, and their company’s responsibility to protect them from cyber-attacks. The cyber security topic at the break room is more likely to be about the cyber-attacks that influence the presidential election, the possibility of cyber terrorism against the government and critical infrastructure, and oh did you recently change your password?
Now just down the corridor, the executives are having their monthly meeting in the executive boardroom and after numerous topics cyber security eventually gets to the table. The main concern for the CEO is to know the business is running smoothly. While sales and operations are top of mind, the security of the company needs the same awareness and care. While juggling many business functions, CEOs don’t have the time to worry about small intricacies. New security breaches like ransomware make security a more pressing concern for enterprises now more than ever before. Most of the boardroom looks to the CISO for what the current state of the company’s cyber security is, however, many view it as a risk and therefore lack of business impact. The biggest topic that comes to the table is typically is whether the company is meeting government and industry regulatory compliance and will they pass the upcoming audit, what IT projects and security needs to be prioritized to ensure the audit is passed. The next topic is then about cyber security hygiene and awareness of the company’s lack of action in this area which in turn continues to push it back to a future need.
The challenge in the past is that it is difficult to measure cybersecurity risk for many organizations and this has put the CISO in a tough situation as to how you can show business value when it is not easy to measure. The metrics were not clear and basically, it was about keeping the existing security controls working, make continuous improvements where possible, and placing security on previously adopted technologies. Security has always been an afterthought and sometimes not possible to keep the same high level when security and privacy were not implemented by design. This means the risk always continues to get greater, making the CISO’s already tough job more challenging.
While cyber security is a growing topic in the boardroom the education of the boardroom needs to continue on the business impact of cyber security, clear metrics, the need to have cyber insurance, and a clear incident response and recovery plan.
So as you can see, employees are most worried about the nation states cyber security and critical infrastructure and not so much their own cyber security. They assume the company and governments will protect them where the boardroom is worried about meeting industry or government compliance and their employee’s cyber security hygiene, but fail to communicate to their employees about their responsibility for cyber security.
What are your cyber security discussions in the break room versus the boardroom? Are you worried about the nation states cyber security more than your own data?